In a win for cryptocurrency businesses and privacy advocates, the UK Government has signalled its intention to change a proposal which would have required cryptocurrency firms to collect personal data from individuals using “unhosted” or “non-custodial" wallets for the transfer of digital assets.
Following its consultation, the Government reversed its original proposal to require verification. This news will likely be welcomed by banks and cryptocurrency businesses, as mandating verification would have imposed a significant burden. Some have also argued that this regulation could stifle innovation in the sector by restricting resources to some businesses.
What are hosted and unhosted wallets?
A cryptocurrency wallet holds private keys which allow users to access cryptocurrency and make transactions. Wallets can be hardware or software based.
Many cryptocurrency users use “hosted” or “custodial” wallets. These are digital accounts hosted by third-party financial institutions, which allow users to make cryptocurrency transactions. Hosted wallets tend to be favoured by new users due to their ease of use and the ability to recover passwords should they be lost or forgotten. Cryptocurrency exchanges offer these kinds of wallets for their account holders.
Some users favour “unhosted” or “non-custodial” wallets. These allow users to control cryptocurrency balances outside exchanges. Typically, these kinds of wallets use hardware or software such as mobile phone apps. They tend to be more flexible than hosted wallets and are often configurable to increase privacy. They offer complete control of the private keys needed to make transactions. Many users feel more comfortable with non-custodial wallets as they remove a third-party between the user and their cryptocurrency.
Background to the reversal
Anti-money laundering bodies such as the Financial Action Task Force (FATF) and the US FinCEN (Financial Crimes Enforcement Network) have both scrutinised the risks associated with unhosted wallets in their guidance. FATF introduced the “Travel Rule” in 2019, which advised institutions to collect and share customer data for transactions over $1,000. In December 2020, FinCEN proposed that institutions be required to submit a full report for transactions involving an unhosted wallet where the value of the transaction is greater than $10,000.
In an earlier report from the Treasury in July 2021, the UK Government had signalled that cryptocurrency transactions would fall under the FATF standards and therefore this latest guidance is a significant U-turn for the authorities.
What has the UK Government proposed?
The UK’s HM Treasury, which is responsible for developing and executing the Government’s public finance and economic policy, published a report on 15 June which reported the outcomes of a consultation on proposed steps to amend the UK Money Laundering Regulations (MLRs). The consultation involved responses from anti-money laundering experts, supervisors, industry, civil society, academia and Government departments. Among the many questions for consultation, it specifically asked respondents to consider if a Virtual Asset Service Providers (VASP), such as a cryptocurrency exchange, should be required to obtain originator information from its own customer where it has received a transfer from an unhosted wallet.
Responses were mixed, with some supporting the original proposal to mandate verification on the basis that it was important for both parties of a transaction to be known and that unhosted wallets should be viewed as higher risk. Those that opposed the original proposal cited proportionality as the deciding factor – they felt the burden of imposing this requirement on firms would outweigh the benefits of preventing illicit finance. This group opposed the original proposal on the grounds that unhosted wallets do not present an increased risk of illicit finance, with the percentage of transfers connected to crime broadly in line with that seen across the market.
Following this feedback, the Government has said that instead of mandatory collection of beneficiary and originator information for all unhosted wallet transfers, firms will only need to collect these details for transactions identified as high risk.
Observations
In practical terms, firms may find it very burdensome to adhere to guidance which requires this kind of verification. In essence, it may mean attempting to regulate what wallet software is available in different countries. An unintended consequence of this could be that instead of developing compliant software, wallet software firms could seek to block access in countries where the rule is enforced, reducing access to consumers.
The UK has indicated it is starting to take cryptoasset regulation seriously with the Government recently announcing plans to introduce two new bills to support the “safe adoption of cryptocurrencies" and provide authorities more powers to "seize and recover crypto assets”. However, some have argued that the UK remains behind the curve on regulation.
Criminal use of cryptocurrency remains at the top of the agenda for lawmakers due to an increased prevalence in adoption and abuse by fraudsters, extortionists and money launderers. Many of the tools and techniques used by law enforcement for tracing stolen cryptocurrency are also available to private investigators and law firms operating in the civil arena. If stolen crypto is traced into a customer account held at a third-party cryptocurrency exchange or service, it may be possible to obtain court-ordered disclosure from the third party. This can reveal the identity of the customer who received the funds and thereby help to expose the perpetrators of the fraud. It may also be possible to obtain an order freezing the account in question or the funds therein, pending recovery action. Pursuing civil remedies should be considered in the event of frauds and thefts involving cryptocurrencies.
Mishcon de Reya litigators and our investigations practice, MDR Cyber, frequently use tracing techniques to chase the money from frauds, thefts and hacks and work together to secure legal orders to compel disclosure of information, freezing of funds and recover losses on behalf of our clients. For more information contact mdrcyber@mishcon.com.